On Mon, Jul 30, 2001 at 02:20:27AM +0400, Alexey Kuznetsov wrote:
> > does this somehow explain why this whole issue doesn't apply to the loopback
> > devices?
>
> Ratelimit checks are simply skipped for it, they apply only to icmps,
> which are going to be sent to network.
>
> Source of the problem was that icmp holds a single variable for rate, but still
> pretends to allow setting different rates for different types of messages.
> Algo solves this by assigning different costs to different types, but
> it breaks when costs are strongly different, so that the low cost one (echo reply
> in this case) suppresses the high cost ones (icmp errors) too strongly
> for some short time. nmap sends a tight burst of udp messages (which is crazy
> anyway, icmp errors except for a few will be dropped in any case),
> after echo and all the icmp errors inevitably fall into this dead interval.

in some way this "pretending to be a feature" issue should be cleaned up.
consequently, since there is only one token bucket, there can only be one
icmp rate limit. we can add an icmp type mask to enable/disable rate limiting
for certain types.
or we could add a bunch of token buckets to dst_entry, which would make the
whole thing overbloated.
using lazy instantiation would be the third option i could think of. change
rate_last+rate_token to a token bucket reference only used if needed.
in the latter case, one should discipline route.c to keep hands off
rate_token+rate_last.
clemens
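A constructed model of the shared-bucket limiter the thread is about, added here as an illustration and not code from the thread or from the kernel: the refill-then-clamp-then-charge step is modelled on the xrlim_allow style check, and the burst factor and per-type costs are constructed values. It shows the "dead interval" a single cheap echo reply opens for expensive icmp errors when both draw on one rate_tokens/rate_last pair, and that giving each type its own bucket (the third option above) removes it.

```c
/* Constructed model: one token bucket shared by all ICMP types versus
 * one bucket per type.  Burst factor and costs are constructed values. */
#include <stdio.h>

#define BURST_FACTOR   6    /* assumption: a bucket holds 6x one message's cost */
#define COST_ECHOREPLY 1    /* constructed: cheap type */
#define COST_ERROR     100  /* constructed: expensive type (e.g. port unreachable) */

struct bucket { long rate_tokens; long rate_last; };

/* Refill by elapsed ticks, clamp to the burst computed from *this*
 * message's cost, then charge the cost if the bucket can afford it. */
int xrlim_allow(struct bucket *b, long now, long cost)
{
    b->rate_tokens += now - b->rate_last;
    b->rate_last = now;
    if (b->rate_tokens > BURST_FACTOR * cost)       /* clamp uses the cheap cost */
        b->rate_tokens = BURST_FACTOR * cost;       /* -> a full bucket shrinks to 6 */
    if (b->rate_tokens >= cost) {
        b->rate_tokens -= cost;
        return 1;
    }
    return 0;
}

/* Scenario: bucket(s) full at tick 0, one echo reply at tick 0, then an
 * ICMP error attempted every tick.  Returns the first tick at which an
 * error is allowed.  per_type != 0 gives the echo reply its own bucket. */
int first_error_tick(int per_type)
{
    struct bucket err  = { BURST_FACTOR * COST_ERROR, 0 };
    struct bucket echo = { BURST_FACTOR * COST_ECHOREPLY, 0 };
    struct bucket *echo_bucket = per_type ? &echo : &err;

    xrlim_allow(echo_bucket, 0, COST_ECHOREPLY);
    for (long t = 0; t < 10000; t++)
        if (xrlim_allow(&err, t, COST_ERROR))
            return (int)t;
    return -1;
}

int main(void)
{
    printf("shared bucket: first error allowed at tick %d\n", first_error_tick(0));
    printf("per-type bucket: first error allowed at tick %d\n", first_error_tick(1));
    return 0;
}
```

With the shared bucket the echo reply clamps 600 tokens down to 6 and charges 1, so errors are dead until tick 95; with a per-type bucket the first error goes out at tick 0.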